multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

error 99 for all users #197

Open Tikkoneus opened 1 week ago

Tikkoneus commented 1 week ago

Hello! I'm trying to use the "local only" set-up with TOTP. I installed the Windows Credential Provider, created a user, and tried to authenticate. I get error 99 "Authentication failed (and other possible unknown errors)" for all users. I get the same message when I try to verify or resync. I tried creating the users with "-create user TOTP pin 0 6 30" and also with "-createga b32_seed" and get the same error. I've confirmed that the TOTP token I'm entering is correct as the time is properly synchronized on the device generating the token and the multiotp host. I can also generate identical tokens from multiple implementations of the TOTP rfc, so I think there's something I've configured wrong about multiOTP causing it not to accept the token. Any ideas?

multiOTP commented 1 week ago

Hello, After you have created a new user, did you see the user file in the multiotp\users folder? What's happening when you try to check the user authentication using the command line?

Tikkoneus commented 1 week ago

Yes, in the "users" folder it creates "user.db" which contains reasonable values. Also multiotp.exe -user-info user shows correct values. Checking the user auth from the command line gives the same error 99.

Tikkoneus commented 1 week ago

I tried tracing through and I see a new process "multiotp -is-without-2fa" which fails with error 7 "user requires a token" as expected. Then another process starts which is php running the windows multiotp php script. It's this latter script which exits with status code 99.

multiOTP commented 1 week ago

Hello, How are you managing the prefix PIN? Try also to add -debug -display-log when calling multiotp.exe in order to have more debug information.

Tikkoneus commented 1 week ago

Apologies, I created the user (I tried -create with all options manually, and -fastcreate, and also -createga) and then afterwards did -set prefix-pin=0 and confirmed with -user-info that the prefix pin is not required.

I did notice in the user.db that there's a pin field as well, generated by random. I tried doing "-set pin=" to set it to empty string, but I still got the same error 99 behavior.

My understanding was that if I use the totp algorithm when I create the user, and I'm not requiring a prefix pin, then I should be able to put the same base 32 seed into any other implementation of the totp rfc and get the correct token?

multiOTP commented 1 week ago

Hello, Could you please provide us the user.db file? We will have a look at it. You can create a QRcode to be sure that the TOTP is well provisioned: multiotp -qrcode user png_file_name.png After using "-debug -display-log" options for authentication using the command line, what are the log messages?

Tikkoneus commented 6 days ago

multiotp-database-format-v3
algorithm=totp
attributed_tokens=
autolock_time=0
cache_level=1
cache_lifetime=15552000
challenge:=
challenge_validity=0
create_host=DESKTOP-*snip*2
create_time=1726958297
delta_time=0
desactivated=0
description=
dialin_ip_address=
dialin_ip_mask=
display_name=
email=
email_otp:=
email_validity=0
error_counter=2
group=
key_id=
language=
last_cached_credential=
last_error=1727057676
last_event=-1
last_failed_credential=e964eb444d5*snip*8ebe4cd4a
last_failed_time=1727057676
last_login=0
last_login_for_cache=0
last_success_credential=
last_sync_update=0
last_sync_update_host=
last_update=1727057676
last_update_host=DESKTOP-*snip*2
ldap_hash_cache:=
ldap_hash_validity=0
locked=0
multi_account=0
number_of_digits=6
private_id=
request_ldap_pwd=0
request_prefix_pin=0
scratch_passwords:=
seed_password:=
sms=
sms_otp:=
sms_validity=0
synchronized=0
synchronized_channel=
synchronized_dn=
synchronized_server=
synchronized_time=0
time_interval=30
token_algo_suite=HMAC-SHA1
token_seed:=UzpuYX1QNRQ*snip*NCp3dQ==
token_serial=
user=
user_last_login=0
user_pin:=
user_principal_name=
encryption_hash=99CCFC0D*snip*786A1
delayed_account=
delayed_time=0
delayed_finished=0
Tikkoneus commented 6 days ago

>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 797752

LOG 2024-09-23 21:38:15 warning (user user) User Error: authentication failed (using Credential Provider) for user user

LOG 2024-09-23 21:38:15 warning (user user) User Info: *(authentication typed by the user: 797752)
99 *ERROR: Authentication failed (and other possible unknown errors)

LOG 2024-09-23 21:38:15 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
multiOTP Credential Provider mode

multiOTP commented 6 days ago

Hello,

It seems that the generated code is not the good one. In developer mode, set developer_mode=1, and call the same CLI line. Time on the server is synchronized? In the correct time zone? Time on the token generator is synchronized? Did you make the provisioning with the QRcode generated?

Timestamp in ini file : 1727057676 = GMT: Monday 23 September 2024 02:14:36 (posted at about 2024-09-24 01:35 GMT) Log display: 2024-09-23 21:38:15 (posted at about 2024-09-23 01:35 GMT)

In which timezone are you ?

Regards,

multiOTP commented 6 days ago

To check if it is a time zone issue, try to change the following entry in the multiotp.ini (temporary only): max_time_window=600 -> max_time_window=86400

Tikkoneus commented 5 days ago

The timezone listed in the multiotp.ini file is America\New_York. That matches the timezone set on the host running multiotp and on the device I'm using to generate tokens. What should it be set to?

I did try setting the max_time_window to 86400 and still got the same error.

Tikkoneus commented 4 days ago

When I try changing the timezone in the multiotp.ini I instead receive authentication failed (using Credential Provider) for user (time based token probably out of sync). If I restore the timezone to America/New_York then I get error 99. This leads me to believe it's not a timezone issue?

multiOTP commented 4 days ago

Hello, When you receive authentication failed (using Credential Provider) for user (time based token probably out of sync), that means the OTP code is correct and inside a time window up to 10x bigger than it should be (if it's out of this 10x range, it doesn't check the windows timezone anymore and just says that the code is wrong). Is your host in the correct timezone? Is your TOTP generator in the correct timezone?
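To make the window heuristic described in the comment above checkable offline, here is an added example (my own code, not multiOTP's): it computes RFC 6238 TOTP codes from a base32 seed with the parameters shown in the user.db above (HMAC-SHA1, 6 digits, 30 s) and reports the clock offset at which a typed code would have been correct, classifying the result the way the comment describes. The "10x" rule and max_time_window=600 are assumptions taken from the thread, not a reading of multiOTP's source.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 (token_algo_suite=HMAC-SHA1 in the user.db)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // interval, digits)


def diagnose(b32_seed: str, typed_code: str, now: int, interval: int = 30,
             digits: int = 6, max_time_window: int = 600) -> dict:
    """Find the clock offset (if any) at which typed_code is the right TOTP.

    Verdict modelled on the thread (an assumption, not multiOTP's code):
      "ok"          match within max_time_window seconds of `now`
      "out_of_sync" match only inside 10x max_time_window (clock skew)
      "wrong_code"  no match at all in that range
    """
    padded = b32_seed.upper() + "=" * (-len(b32_seed) % 8)  # restore base32 padding
    secret = base64.b32decode(padded)
    steps = (10 * max_time_window) // interval
    # Try the nearest time steps first so the smallest offset is reported.
    for delta in sorted(range(-steps, steps + 1), key=abs):
        candidate = totp(secret, now + delta * interval, interval, digits)
        if hmac.compare_digest(candidate, typed_code):
            offset = delta * interval
            verdict = "ok" if abs(offset) <= max_time_window else "out_of_sync"
            return {"verdict": verdict, "offset_seconds": offset}
    return {"verdict": "wrong_code", "offset_seconds": None}


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed, a code minted 50 minutes ago.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(diagnose(seed, "287082", now=59 + 3000))
```

Run it with the seed and typed code from a failing attempt and the host's current Unix time; a non-zero offset points at clock or timezone skew, while "wrong_code" means the seed in user.db and the one in the authenticator app differ.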

Tikkoneus commented 1 day ago

I'm really pulling my hair out on this one. There's something really unpredictable (not reproducible) going on. I completely uninstalled multiotp credential provider and reinstalled it. The ONLY change I made was to modify the multiotp.ini file to have a max_time_window of 1,000,000. I got this:

>"c:\Program Files\multiOTP\multiotp.exe" -delete user
>"c:\Program Files\multiOTP\multiotp.exe" -create user totp <b32_seed> 0 6 30
>"c:\Program Files\multiOTP\multiotp.exe" -set user prefix-pin=0
>"c:\Program Files\multiOTP\multiotp.exe" -set user pin=
>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 938072
LOG 2024-09-28 19:34:22 notice (user user) User OK: User user successfully logged in (using Credential Provider) with TOTP token
0 *OK: Token accepted
multiOTP Credential Provider mode

>"c:\Program Files\multiOTP\multiotp.exe" -delete user
>"c:\Program Files\multiOTP\multiotp.exe" -create user totp <b32_seed> 0 6 30
>"c:\Program Files\multiOTP\multiotp.exe" -set user prefix-pin=0
>"c:\Program Files\multiOTP\multiotp.exe" -set user pin=
>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 543201
LOG 2024-09-28 19:34:46 warning (user user) User Error: authentication failed (using Credential Provider) for user user
LOG 2024-09-28 19:34:46 warning (user user) User Info: *(authentication typed by the user: 543201)
99 *ERROR: Authentication failed (and other possible unknown errors)
LOG 2024-09-28 19:34:46 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
multiOTP Credential Provider mode

Creating a user from scratch and using a Google Authenticator (known-good) token worked the first time and failed the second time. What other settings could be affecting this?